Unit 1 B
SECURITY
CONFIDENTIALITY AND DATA INTEGRITY,
AVAILABILITY
Computer Security Overview
The NIST Computer Security Handbook defines the term Computer Security as:
• “The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources”
• Includes hardware, software, firmware, information/data and telecommunications.
The CIA Triad
This definition introduces three key objectives that are at the heart of computer security:
• Confidentiality: This term covers two related concepts:
— Data confidentiality : Assures that private or confidential information is not made available or
disclosed to unauthorized individuals.
— Privacy : Assures that individuals control or influence what information related to them may be
collected and stored and by whom and to whom that information may be disclosed.
• Integrity: This term covers two related concepts:
— Data integrity : Assures that information and programs are changed only in a specified and
authorized manner.
— System integrity : Assures that a system performs its intended function in an unimpaired manner, free
from deliberate or inadvertent unauthorized manipulation of the system.
• Availability: Assures that systems work promptly and service is not denied to authorized users.
Key Security Concepts
Confidentiality Integrity Availability
Attack
◦ An assault on system security that derives from an intelligent threat; a deliberate
attempt to evade security services and violate security policy of a system.
Countermeasure
◦ An action, device, procedure, or technique that reduces a threat, a vulnerability,
or an attack by eliminating or preventing it, by minimizing the harm it can cause,
or by discovering and reporting it so that corrective action can be taken.
Computer Security Terminology
Risk
◦ An expectation of loss expressed as the probability that a particular threat
will exploit a particular vulnerability with a particular harmful result.
Security Policy
◦ A set of rules and practices that specify how a system or organization provides
security services to protect sensitive and critical system resources.
System Resource (Asset)
◦ Data; a service provided by a system; a system capability; an item of system
equipment; a facility that houses system operations and equipment.
Computer Security Terminology
Threat
◦ A potential for violation of security, which exists when there is a circumstance,
capability, action, or event that could breach security and cause harm.
Vulnerability
◦ Flaw or weakness in a system's design, implementation, or operation and
management that could be exploited to violate the system's security policy.
Security Concepts and Relationships
Assets of a Computer
System
The assets of a computer system can be categorized as
follows:
Hardware: Including computer systems and other data
processing, data storage, and data communications devices.
Software: Including the operating system, system utilities, and
applications.
Data: Including files and databases, as well as security-related
data, such as password files.
Communication facilities and networks: Local and wide area
network communication links, bridges, routers, and so on.
Computer and Network Assets
Data Confidentiality Service
◦ connection confidentiality
◦ connectionless confidentiality
◦ selective-field confidentiality
Data Integrity Service
can apply to a stream of messages, a single message, or selected fields within a message
connection-oriented integrity service
◦ assures that messages are received as sent
◦ no duplication, insertion, modification, reordering, or replays
connectionless integrity service
◦ provides protection against message modification only
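Added example (not part of the original slides): a minimal Python sketch contrasting the two integrity services. It assumes a pre-shared HMAC-SHA256 key and an 8-byte sequence number; the key, the message contents and all function and class names are constructed for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key (assumption)
MAC_LEN = 32                   # HMAC-SHA256 tag length

def tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

# Connectionless integrity: each message is checked on its own, no state.
def cl_protect(msg: bytes) -> bytes:
    return msg + tag(msg)

def cl_verify(packet: bytes) -> bool:
    msg, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    return hmac.compare_digest(mac, tag(msg))

# Connection-oriented integrity: MAC covers a sequence number the receiver tracks.
class Sender:
    def __init__(self) -> None:
        self.seq = 0
    def protect(self, msg: bytes) -> bytes:
        body = struct.pack(">Q", self.seq) + msg
        self.seq += 1
        return body + tag(body)

class Receiver:
    def __init__(self) -> None:
        self.expected = 0
    def accept(self, packet: bytes) -> bool:
        body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
        if len(body) < 8 or not hmac.compare_digest(mac, tag(body)):
            return False              # modified or inserted message
        if struct.unpack(">Q", body[:8])[0] != self.expected:
            return False              # duplicate, replay or reordering
        self.expected += 1
        return True

def demo() -> dict:
    p = cl_protect(b"pay 10")
    out = {"cl_modified": cl_verify(b"pay 99" + p[6:]), "cl_replay": cl_verify(p)}
    s, r = Sender(), Receiver()
    a, b = s.protect(b"pay 10"), s.protect(b"pay 20")
    out["co_reordered"] = r.accept(b)                    # b arrives first
    out["co_in_order"] = r.accept(a) and r.accept(b)
    out["co_replay"] = r.accept(a)                       # a sent again
    out["co_modified"] = Receiver().accept(a[:8] + b"pay 99" + a[14:])
    return out
```

The connectionless check rejects the altered message but accepts a replayed one, while the connection-oriented receiver rejects modification, reordering and replay.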
Availability Service
a variety of attacks can result in the loss of or reduction in availability
◦ some of these attacks are amenable to authentication and encryption
◦ some attacks require a physical action to prevent or recover from loss of availability
Security Implementation
Complementary courses of action
◦ Prevention
◦ Detection
◦ Response
◦ Recovery
Security Mechanism
Feature designed to
◦ Prevent attackers from violating security policy
◦ Detect attackers’ violation of security policy
◦ Respond to mitigate an attack
◦ Recover: continue to function correctly even if an attack succeeds